
Deploy a managed ruleset

You can deploy a managed ruleset at the zone level or at the account level.

In both cases, deploying means adding a rule with the execute action to the entry point ruleset of a phase. You do this with the Rulesets API.

Deploy a managed ruleset to a phase at the zone level

Use the following workflow to deploy a managed ruleset to a phase at the zone level.

  1. Get your zone ID.
  2. Invoke the List account rulesets operation to obtain the available managed rulesets. Managed rulesets exist at the account level, but you can deploy them to a zone. Find the ruleset ID of the managed ruleset you want to deploy.
  3. Identify the phase where you want to deploy the managed ruleset. A managed ruleset can only be executed from the entry point of the phase it belongs to, so check the phase field of the managed ruleset against the phase you intend to deploy to. To learn more about the phases supported by each Cloudflare product, refer to the documentation for that product, or to the Phases list.
  4. Add a rule to the zone-level phase entry point ruleset that executes the managed ruleset. Refer to the following example for details on this step.

Example

The following example deploys a WAF managed ruleset to the http_request_firewall_managed phase of a given zone ({zone_id}) by creating a rule that executes the managed ruleset.

  1. Invoke the Get a zone entry point ruleset operation to obtain the definition of the entry point ruleset for the http_request_firewall_managed phase. You will need the zone ID for this task.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_request_firewall_managed/entrypoint" \
      --header "Authorization: Bearer <API_TOKEN>"

    {
      "result": {
        "description": "Zone-level phase entry point",
        "id": "<RULESET_ID>",
        "kind": "zone",
        "last_updated": "2024-03-16T15:40:08.202335Z",
        "name": "zone",
        "phase": "http_request_firewall_managed",
        "rules": [
          // ...
        ],
        "source": "firewall_managed",
        "version": "10"
      },
      "success": true,
      "errors": [],
      "messages": []
    }
  2. If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create a zone ruleset rule operation to add an execute rule to the existing ruleset deploying the Cloudflare Managed Ruleset (with ID efb7b8c949ac4650a09736fc376e9aee). By default, the rule will be added at the end of the list of rules already in the ruleset.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \
      --header "Authorization: Bearer <API_TOKEN>" \
      --header "Content-Type: application/json" \
      --data '{
        "action": "execute",
        "action_parameters": {
          "id": "efb7b8c949ac4650a09736fc376e9aee"
        },
        "expression": "true",
        "description": "Execute the Cloudflare Managed Ruleset"
      }'

    {
      "result": {
        "id": "<RULESET_ID>",
        "name": "Zone-level phase entry point",
        "description": "",
        "kind": "zone",
        "version": "11",
        "rules": [
          // ... any existing rules
          {
            "id": "<RULE_ID>",
            "version": "1",
            "action": "execute",
            "action_parameters": {
              "id": "efb7b8c949ac4650a09736fc376e9aee",
              "version": "latest"
            },
            "expression": "true",
            "description": "Execute the Cloudflare Managed Ruleset",
            "last_updated": "2024-03-18T18:08:14.003361Z",
            "ref": "<RULE_REF>",
            "enabled": true
          }
        ],
        "last_updated": "2024-03-18T18:08:14.003361Z",
        "phase": "http_request_firewall_managed"
      },
      "success": true,
      "errors": [],
      "messages": []
    }
  3. If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create a zone ruleset operation. Include a single rule in the rules array that executes the Cloudflare Managed Ruleset (with ID efb7b8c949ac4650a09736fc376e9aee) for all incoming requests in the zone.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
      --header "Authorization: Bearer <API_TOKEN>" \
      --header "Content-Type: application/json" \
      --data '{
        "name": "My ruleset",
        "description": "Entry point ruleset for WAF managed rulesets",
        "kind": "zone",
        "phase": "http_request_firewall_managed",
        "rules": [
          {
            "action": "execute",
            "action_parameters": {
              "id": "efb7b8c949ac4650a09736fc376e9aee"
            },
            "expression": "true",
            "description": "Execute the Cloudflare Managed Ruleset"
          }
        ]
      }'

In this example, the managed ruleset runs with the actions Cloudflare configured for its rules. Because the request does not set action_parameters.version, the response shows "version": "latest": the rule always executes the current version of the managed ruleset as Cloudflare updates it. To confirm the deployment, invoke the Get a zone entry point ruleset operation again and check that the new execute rule appears in rules and that the ruleset version has incremented. To customize the behavior of managed rulesets, refer to Override a managed ruleset.

Deploy a managed ruleset to a phase at the account level

Use the following workflow to deploy a managed ruleset to a phase at the account level.

  1. Get your account ID.
  2. Invoke the List account rulesets operation to obtain the available managed rulesets. Find the ruleset ID of the managed ruleset you want to deploy.
  3. Identify the phase where you want to deploy the managed ruleset. Ensure that the managed ruleset belongs to the same phase where you want to deploy it. To learn more about the available phases supported by each Cloudflare product, refer to the specific documentation for that product, or the Phases list.
  4. Add a rule to the account-level phase entry point ruleset that executes the managed ruleset. Use parentheses to enclose any custom conditions in the rule expression and end your expression with and cf.zone.plan eq "ENT" so that it only applies to zones on an Enterprise plan. Refer to the following example for details on this step.

Example

The following example deploys a WAF managed ruleset to the http_request_firewall_managed phase of a given account ({account_id}) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for requests to zones named example.com or anotherexample.com, provided the zone is on an Enterprise plan (cf.zone.plan eq "ENT").

  1. Invoke the Get an account entry point ruleset operation to obtain the definition of the entry point ruleset for the http_request_firewall_managed phase. You will need the account ID for this task.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/phases/http_request_firewall_managed/entrypoint" \
      --header "Authorization: Bearer <API_TOKEN>"

    {
      "result": {
        "description": "Account-level phase entry point",
        "id": "<RULESET_ID>",
        "kind": "root",
        "last_updated": "2024-03-16T15:40:08.202335Z",
        "name": "root",
        "phase": "http_request_firewall_managed",
        "rules": [
          // ...
        ],
        "source": "firewall_managed",
        "version": "10"
      },
      "success": true,
      "errors": [],
      "messages": []
    }
  2. If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create an account ruleset rule operation to add an execute rule to the existing ruleset deploying the Cloudflare Managed Ruleset (with ID efb7b8c949ac4650a09736fc376e9aee). By default, the rule will be added at the end of the list of rules already in the ruleset.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}/rules" \
      --header "Authorization: Bearer <API_TOKEN>" \
      --header "Content-Type: application/json" \
      --data '{
        "action": "execute",
        "action_parameters": {
          "id": "efb7b8c949ac4650a09736fc376e9aee"
        },
        "expression": "(cf.zone.name in {\"example.com\" \"anotherexample.com\"}) and cf.zone.plan eq \"ENT\"",
        "description": "Execute the Cloudflare Managed Ruleset"
      }'

    {
      "result": {
        "id": "<RULESET_ID>",
        "name": "Account-level phase entry point",
        "description": "",
        "kind": "root",
        "version": "11",
        "rules": [
          // ... any existing rules
          {
            "id": "<RULE_ID>",
            "version": "1",
            "action": "execute",
            "action_parameters": {
              "id": "efb7b8c949ac4650a09736fc376e9aee",
              "version": "latest"
            },
            "expression": "(cf.zone.name in {\"example.com\" \"anotherexample.com\"}) and cf.zone.plan eq \"ENT\"",
            "description": "Execute the Cloudflare Managed Ruleset",
            "last_updated": "2024-03-18T18:30:08.122758Z",
            "ref": "<RULE_REF>",
            "enabled": true
          }
        ],
        "last_updated": "2024-03-18T18:30:08.122758Z",
        "phase": "http_request_firewall_managed"
      },
      "success": true,
      "errors": [],
      "messages": []
    }
  3. If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create an account ruleset operation. Include a single rule in the rules array that executes the Cloudflare Managed Ruleset (with ID efb7b8c949ac4650a09736fc376e9aee) for all incoming requests to Enterprise zones named example.com or anotherexample.com.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets" \
      --header "Authorization: Bearer <API_TOKEN>" \
      --header "Content-Type: application/json" \
      --data '{
        "name": "My ruleset",
        "description": "Entry point ruleset for WAF managed rulesets",
        "kind": "root",
        "phase": "http_request_firewall_managed",
        "rules": [
          {
            "action": "execute",
            "action_parameters": {
              "id": "efb7b8c949ac4650a09736fc376e9aee"
            },
            "expression": "(cf.zone.name in {\"example.com\" \"anotherexample.com\"}) and cf.zone.plan eq \"ENT\"",
            "description": "Execute the Cloudflare Managed Ruleset"
          }
        ]
      }'

In this example, the managed ruleset runs with the actions Cloudflare configured for its rules, and, as the "version": "latest" in the response shows, always executes the current version of the managed ruleset. To confirm the deployment, invoke the Get an account entry point ruleset operation again and check that the new execute rule appears in rules with the Enterprise-plan filter intact in its expression. To customize the behavior of managed rulesets, refer to Override a managed ruleset.
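The two workflows above (zone level and account level) follow the same shape: look up the managed ruleset and check its phase, fetch the phase entry point, then either append an execute rule (200) or create the entry point ruleset with that rule (404), and finally confirm the rule is present in the returned ruleset rather than trusting "success" alone. The script below is an added example that automates both; it is not Cloudflare's code. CloudflareApi is an assumed thin urllib client for the real API, FakeRulesetsApi is a constructed in-memory stand-in so the script runs offline, and the function names, the placeholder IDs and the "entry-ruleset-id"/"rule-N" values it returns are all chosen here. account_expression encodes the rule from the account-level workflow that custom conditions are parenthesised and AND-ed with cf.zone.plan eq "ENT".

```python
# Added example (not Cloudflare code). CloudflareApi is an assumed urllib client;
# FakeRulesetsApi is a constructed in-memory stand-in so the script runs offline.
import json
import urllib.error
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_managed"
CF_MANAGED_RULESET_ID = "efb7b8c949ac4650a09736fc376e9aee"  # Cloudflare Managed Ruleset


class CloudflareApi:
    """Assumed transport: api(method, path, body=None) -> (http_status, decoded_json)."""
    def __init__(self, token):
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def __call__(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API_BASE + path, data=data, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:  # a missing entry point ruleset arrives as 404
            raw = err.read()
            return err.code, json.loads(raw) if raw else {"success": False, "errors": []}


def account_expression(condition=""):
    """Account-level rules must stay limited to Enterprise zones: any custom
    condition is parenthesised and AND-ed with cf.zone.plan eq "ENT"."""
    ent = 'cf.zone.plan eq "ENT"'
    return f"({condition.strip()}) and {ent}" if condition.strip() else ent


def find_managed_ruleset(api, account_id, ruleset_id, phase):
    """Workflow steps 2-3: the managed ruleset must be visible at the account
    level and belong to the phase it is about to be deployed to."""
    status, resp = api("GET", f"/accounts/{account_id}/rulesets")
    if status != 200 or not resp.get("success"):
        raise RuntimeError(f"list rulesets failed: {status} {resp.get('errors')}")
    for ruleset in resp["result"]:
        if ruleset["id"] == ruleset_id and ruleset["kind"] == "managed":
            if ruleset["phase"] != phase:
                raise ValueError(f"{ruleset_id} belongs to {ruleset['phase']}, not {phase}")
            return ruleset
    raise LookupError(f"managed ruleset {ruleset_id} not visible in account {account_id}")


def deploy_managed_ruleset(api, scope, scope_id, managed_id, phase, expression, description):
    """Workflow step 4: add an execute rule to the phase entry point ruleset, creating
    the entry point first if the GET returns 404. scope is "zones" or "accounts"."""
    base = f"/{scope}/{scope_id}/rulesets"
    rule = {"action": "execute", "action_parameters": {"id": managed_id},
            "expression": expression, "description": description}
    status, resp = api("GET", f"{base}/phases/{phase}/entrypoint")
    if status == 200 and resp.get("success"):
        status, resp = api("POST", f"{base}/{resp['result']['id']}/rules", rule)
    elif status == 404:
        status, resp = api("POST", base, {
            "name": "My ruleset", "description": "Entry point ruleset for WAF managed rulesets",
            "kind": "zone" if scope == "zones" else "root", "phase": phase, "rules": [rule]})
    else:
        raise RuntimeError(f"unexpected entry point response: {status} {resp.get('errors')}")
    if status != 200 or not resp.get("success"):
        raise RuntimeError(f"deploy failed: {status} {resp.get('errors')}")
    result = resp["result"]
    # Do not trust "success" alone: confirm the execute rule is in the returned ruleset.
    if not any(r["action"] == "execute" and r["action_parameters"]["id"] == managed_id
               for r in result["rules"]):
        raise RuntimeError("API reported success but the execute rule is missing")
    return result


class FakeRulesetsApi:
    """Constructed stand-in for the Rulesets API: one phase, no entry point at start."""
    def __init__(self, managed_phase):
        self.managed = {"id": CF_MANAGED_RULESET_ID, "kind": "managed", "phase": managed_phase,
                        "name": "Cloudflare Managed Ruleset"}
        self.entry = None

    def __call__(self, method, path, body=None):
        ok = lambda result: (200, {"success": True, "errors": [], "messages": [], "result": result})
        if method == "GET" and path.endswith("/rulesets"):
            return ok([self.managed] + ([self.entry] if self.entry else []))
        if method == "GET" and path.endswith("/entrypoint"):
            return ok(self.entry) if self.entry else (404, {"success": False, "result": None,
                    "errors": [{"code": 10000, "message": "ruleset not found"}]})
        if method == "POST" and path.endswith("/rulesets"):
            self.entry = dict(body, id="entry-ruleset-id", version="1")
            self.entry["rules"] = [dict(r, id=f"rule-{i}") for i, r in enumerate(body["rules"])]
            return ok(self.entry)
        if method == "POST" and path.endswith("/rules") and self.entry is not None:
            self.entry["rules"].append(dict(body, id=f"rule-{len(self.entry['rules'])}"))
            self.entry["version"] = str(int(self.entry["version"]) + 1)
            return ok(self.entry)
        return 404, {"success": False, "errors": [{"message": "no such route"}], "result": None}


if __name__ == "__main__":
    # Swap FakeRulesetsApi for CloudflareApi("<API_TOKEN>") to run against the real API.
    zone_api, account_api = FakeRulesetsApi(PHASE), FakeRulesetsApi(PHASE)
    find_managed_ruleset(zone_api, "<account_id>", CF_MANAGED_RULESET_ID, PHASE)
    zone = deploy_managed_ruleset(zone_api, "zones", "<zone_id>", CF_MANAGED_RULESET_ID, PHASE,
                                  "true", "Execute the Cloudflare Managed Ruleset")
    account = deploy_managed_ruleset(
        account_api, "accounts", "<account_id>", CF_MANAGED_RULESET_ID, PHASE,
        account_expression('cf.zone.name in {"example.com" "anotherexample.com"}'),
        "Execute the Cloudflare Managed Ruleset")
    print(json.dumps({"zone": zone, "account": account}, indent=2))
```

Running the script twice against the same API object exercises both branches: the first call hits the 404 path and creates the entry point ruleset, the second finds it and appends a further execute rule, with the version incrementing as in the page's responses. The phase check in find_managed_ruleset is what stops you from wiring a managed ruleset into an entry point it cannot run from.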